Kubernetes Cluster RBAC

Thalassa Cloud RBAC (For Human Users & External Integrations)

Thalassa Cloud provides Role-Based Access Control (RBAC) through the Thalassa Cloud Console and API, allowing administrators to manage users, roles, and permissions centrally. This ensures fine-grained access control at both the user and team levels, enforcing security and compliance across Kubernetes clusters.

Key Features:

  • User and Group Management: Assign permissions at the user or team level.
  • Platform-Wide Access Control: Roles apply across the platform for consistency.
  • Seamless Kubernetes Integration: Works alongside native Kubernetes RBAC.
  • API & Console Management: Configure roles and permissions via the Thalassa Cloud API or web console.

Kubernetes Native RBAC (For In-Cluster Resources)

Kubernetes provides native RBAC mechanisms to regulate access to resources inside a cluster. Thalassa Cloud fully supports Kubernetes RBAC, allowing administrators to define access control rules using standard Kubernetes resources:

  • Roles: Define permissions within a namespace.
  • ClusterRoles: Apply permissions cluster-wide.
  • RoleBindings: Grant a role to a user or service account in a specific namespace.
  • ClusterRoleBindings: Assign cluster-wide roles to users, groups, or service accounts.

Example: Creating a Role and RoleBinding

The following example defines a role that grants read-only access to Pods within a specific namespace and binds it to a user.

role.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]

rolebinding.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: pod-reader-binding
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Apply the configuration:

kubectl apply -f role.yaml
kubectl apply -f rolebinding.yaml

This grants the user alice permission to view Pods in the default namespace.
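To see what the Role and RoleBinding above actually grant, the following added example (not Thalassa Cloud or Kubernetes code) models the core of Kubernetes RBAC evaluation and runs the page's two manifests through it; the manifests are reproduced as Python dicts, and the `can_i` function name and its signature are our own.

```python
# Added example (not Thalassa Cloud or Kubernetes code): a minimal model of how
# Kubernetes RBAC evaluates a request, used to check what the page's pod-reader
# Role and RoleBinding actually grant. The manifests are the page's own, written
# as Python dicts (apiVersion omitted) so the script runs offline without PyYAML.
POD_READER_ROLE = {
    "kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
POD_READER_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "default", "name": "pod-reader-binding"},
    "subjects": [{"kind": "User", "name": "alice", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}
MANIFESTS = [POD_READER_ROLE, POD_READER_BINDING]


def _matches(allowed, value):
    # Rule lists may contain "*" as a wildcard; "" is the core API group.
    return "*" in allowed or value in allowed


def can_i(manifests, user, verb, resource, namespace, api_group=""):
    """True if `user` may perform `verb` on `resource` in `namespace`.
    RBAC is additive and default-deny: allowed only if a binding names the
    subject and the role it references has a matching rule. Only User
    subjects are modelled (Group and ServiceAccount are left out)."""
    roles = {(m["kind"], m["metadata"].get("namespace"), m["metadata"]["name"]): m
             for m in manifests if m["kind"] in ("Role", "ClusterRole")}
    for binding in manifests:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in binding.get("subjects", [])):
            continue
        # A RoleBinding is namespace-scoped; a ClusterRoleBinding applies everywhere.
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        ref = binding["roleRef"]
        # A Role lives in the binding's namespace; a ClusterRole has no namespace.
        role_ns = binding["metadata"].get("namespace") if ref["kind"] == "Role" else None
        role = roles.get((ref["kind"], role_ns, ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        for rule in role.get("rules", []):
            if (_matches(rule.get("apiGroups", []), api_group)
                    and _matches(rule.get("resources", []), resource)
                    and _matches(rule.get("verbs", []), verb)):
                return True
    return False
```

On a live cluster the same question is answered by `kubectl auth can-i get pods --as alice -n default`, which should print yes, while `kubectl auth can-i delete pods --as alice -n default` and any check in another namespace should print no.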

Choosing the Right RBAC Option

Thalassa Cloud provides two distinct RBAC systems, each serving a different purpose:

  • Thalassa Cloud RBAC should be used for managing human users and external systems that interact with the Kubernetes cluster via the Thalassa Cloud API or Console. This includes developers, administrators, and third-party integrations using Thalassa Cloud Personal Access Tokens.
  • Kubernetes Native RBAC should be used for resources within the cluster, such as Pods, Deployments, and ServiceAccounts. This ensures proper permission management for applications running inside Kubernetes.

Administrators should use Thalassa Cloud RBAC for managing user identities, teams, and API access, while relying on Kubernetes RBAC for fine-grained, workload and infrastructure-level access control inside the cluster. Thalassa Cloud RBAC applies access control at the platform level (identity management, team-based access, and API permissions); Kubernetes native RBAC is applied inside the cluster to control permissions on specific Kubernetes resources.

Summary

  • Thalassa Cloud RBAC: Centralized access control through API and Console.
  • Kubernetes RBAC: Namespace and cluster-wide permissions using standard Kubernetes roles and bindings.
  • Seamless Integration: Both RBAC systems work together to provide layered security.

Additional Resources